From: fc@all.net (Dr. Frederick B. Cohen)
To: stripes@va.pubnix.com (Josh M. Osborne)
Message Hash: a36b654afa89945b293e370796ba51318657805b5a3b33e9b6a16736a4a4636f
Message ID: <9510240929.AA08313@all.net>
Reply To: <LAA19345.199510231500@garotte.va.pubnix.com>
UTC Datetime: 1995-10-24 09:32:25 UTC
Raw Date: Tue, 24 Oct 95 02:32:25 PDT
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 24 Oct 95 02:32:25 PDT
To: stripes@va.pubnix.com (Josh M. Osborne)
Subject: Re: Netscape Logic Bomb detailed by IETF
In-Reply-To: <LAA19345.199510231500@garotte.va.pubnix.com>
Message-ID: <9510240929.AA08313@all.net>
MIME-Version: 1.0
Content-Type: text
> In message <9510231413.AA26514@all.net>, Dr. Frederick B. Cohen writes:
> [...]
> >I strongly disagree. If Netscape provided a way to execute shell
> >commands on your host from a remote computer, it would certainly be a
> >hole created by their product. The fact that the default shell is
> >potentially dangerous means it's incumbant on those who provide access
> >to it to provide adequate protection.
>
> They do, add:
>
> application/x-shell; sh %s
>
> to your .mailcap.
>
> They had better stop supporting mailcap alltogether, after all *any*
> of the programs in there could have buffer overflows, or other
> security problems. I'll bet some of them even do, anyone want to
> see if sox (a program that transforms sound files from format to
> format - frequently used to convert .wav files to .au files) has
> any overruns in the chunk handling code?
This is where the difference between your view and mine seem to part company.
I am not talking about some bug in postscript or the shell. I am talking about
a program that grants remote access to run these programs in the normal manner,
which is unsafe.
To support the position you seem to be taking (and the one currently
taken by Netscape), you would have to say that the last several Sendmail
"bugs" were not sendmail problems but rather shell problems because all
sendmail did was allow you to execute a shell from the remote machine
(perhaps via a queue file). You would also apparently say that it's
secure to allow a server to grant unlimited shell access to unknown,
unauthenticated remote users. This seems foolhearty to me.
> >If Netscape wants to claim their product doesn't degrade security, they
> >should provide a safe postscript interpreter or not provide hooks to
> >unsafe ones.
>
> Sure, and they had better find a way to keep us from editing the binary
> and adding whatever insecure features we may want to their program.
That's correct. Secure software has to have secure distribution in
order to maintain its security when distributed through an untrusted
channel. I think that Netscape uses an MD5 checksum which the members
of this list seem to place unlimited trust in (incorrectly in my view,
but that would be picking two nits with one keyboard entry).
> obcrypto: mabie it would be a good idea for programs to list problems that
> are beoynd their control. To many people it may be supprising that anything
> in their .mailcap could hurt them. To others it is hardly a shock and seeing
> alot of messages about it tends to get rather boreing, esp. as a few people
> jump up and down and yell about the Danger To Us All...
That's not true. Certain things in their .mailcap file can create
holes, but not just anything. One of the standard things we do in
external audits is look for files such as this and examine their
contents to see if unsafe configurations are in use.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Return to October 1995
Return to “Simon Spero <ses@tipper.oit.unc.edu>”